If you are the CISO of your organization and implementing a security programme, what questions shall you ask yourself to help realizing a successful programme rollout ? No, it is not about what software to use, what hardware to install, what process to put in place or even what vulnerabilities you are going to remediate or mitigate. In fact, they are:

Are we doing the right things ?

Are we doing them the right way ?

Are we getting them done well ?

Are we getting the benefits ?

Four simple questions about your security programme, all about the business results – but not technology, schedule, and resources. Four questions about the reality such that your company can make informed decision. In addition, each of the four questions can be further elaborated, for examples:

Are we doing the right things ?

What technology, processes are proposed ?

For what business outcome ?

How do the deliverables within the programme contribute ?

Are we doing them the right way ?

How will it be done ?

What is being done to ensure that it will fit with other current or future capabilities ? (e.g. Business / Operational / Technical capabilities)

Are we getting them done well ?

What is the plan for doing the work ?

What resources and funds are needed ?

Are we getting the benefits ?

How will the benefits be delivered ?

What is the value of the security programme ?

You shall answer all the questions based on relevant, current accurate business-focussed information. By that time, I am sure, you will find that to have a successful security programme, it is no longer depending on the technology, process and policy only, but also an investment that has an enormous impact on creating and sustain business value.

The daily work as information security practitioner is rather a chaotic one. The challenges has nothing to do with the zero-day attack that may happen any second or project deadlines. After more than 12 years of experiences as auditor, security manager and security consultant, I found the security domain is growing exponentially as user and business are more aware of risks in their even more Internet connected lifestyle. A security manager job duty is expanding from purely IT departments controls to application controls and even to privacy compliance.

With such rapid development of risk landscape, daily work of a security practitioner is no different from studying three to four PhDs concurrently with hundreds of email arriving your mail box. Research in information security and risk management is difficult as it is still evolving and also closely tied to cultural and management style. Research skills are important but doing it alone without the directions and collaboration with other professionals is like the toil of Sisyphus.

“make the knowledge accessible and usable”

The most rewarding experiences in my career is the discussion and sharing with people in the industry. By joining activities and meetings organised by PISA, CSA, ISC2 and ISO SC27, I met with friends and mentors who are both intellectual and forwarding thinking. The idea of having a blog connecting information security professionals in Asia is coming from these experiences.

The satellite image at the top only shows the Asia regions are physically separated by ocean. It does not show there are also legislation, languages and ideology separations. These logical separations create some obstacles for close collaboration. Unlike security professionals in US and EU where they could meet and collaborate relative conveniently, Asia professionals will need to rely more on cyberspace for idea exchanges.

In short, this team blog has one goal as stated in the About page ” to inspire more information security professionals and practitioners to come forward and share their knowledge, understanding, and experience with the community.”